CyberWire Daily - Chinese espionage in Central Asia. Dixons Carphone data exposure. Lazy State speculative execution bug. Pyongyang is expected to come roaring back into cyberspace. Unlucky 13.

Episode Date: June 14, 2018

In today's podcast, we hear that LuckyMouse has crept into an unnamed Central Asian house. Dixons Carphone data exposure presents complex legal and regulatory issues—it's the first big incident since GDPR came into effect. "Lazy State" is another CPU speculative execution bug. The US Congress doesn't care for ZTE, Australia's government is wary of Huawei, and the EU doesn't like Kaspersky at all. If you didn't like the end of net neutrality, wait until you get a load of the proposed EU Copyright Regulation's Article 13. More hacking expected from Pyongyang. Dr. Charles Clancy from VA Tech, discussing research on antifragile communications. Guest is Stacey Smith from CAMI on MD's legislation supporting cyber security businesses.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. LuckyMouse creeps into a Central Asian house. Dixons Carphone data exposure presents complex legal and regulatory issues. It's the first big incident since GDPR came into effect. Lazy State is another CPU speculative execution bug.
Starting point is 00:02:12 The U.S. Congress doesn't care for ZTE. Australia's government is wary of Huawei. And the EU doesn't like Kaspersky at all. If you didn't like the end of net neutrality, wait until you get a load of the proposed EU Copyright Regulation's Article 13. And more hacking is expected from Pyongyang. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 14, 2018.
Starting point is 00:02:48 Researchers at Kaspersky Lab report an espionage campaign against an unnamed Central Asian country's servers. The evidence points to a Chinese threat group tracked variously as LuckyMouse, Emissary Panda, APT27, and Threat Group 3390. The campaign hit a national data center. Kaspersky researchers think the goal is probably to inject malicious JavaScript code into government websites connected to the data center,
Starting point is 00:03:14 thereby transforming those websites into watering holes. It's unclear how LuckyMouse crept in, but the researchers speculate that a watering hole attack gave the threat group its initial entrée. Dixons Carphone, the large British electronics retailer, has sustained a big data breach that it disclosed earlier this week. Data for almost 6 million customers' pay cards were exposed in the incident. Dixons says the effect of the loss was limited.
Starting point is 00:03:43 Most of the cards were chip and PIN, and the information loss was partial, not enough to be of much immediate use to criminals. Dixons says it notified the card companies promptly, and they've seen no evidence of fraud emerging from the breach so far. It's too early, however, to say that the people whose data were affected are out of the woods. Criminals can try to build on the limited information they do have to work up usable profiles of the victims. Dixons also said that 1.2 million records with non-financial personal data—names, email addresses, physical addresses, and the like—were also exposed. They've seen no fraud resulting from
Starting point is 00:04:23 these either, but the same principle applies here. Such information can find cumulatively more damaging uses. The company is referring to the incident as an attempted hack, but better safe than sorry. So if you are or were a Dixons customer, here's some advice, courtesy of Sophos and their Naked Security blog. It has applicability to most breaches of this kind. First, watch your statements for unusual transactions. Second, because some personal data was lost, if you get an email or a phone call from someone asking you to verify account or payment details, don't bite, no matter how much plausibility the details may lend to the phishing. And finally, if you think your
Starting point is 00:05:05 pay card was compromised, cancel it and ask the provider to issue you a new one. British authorities, including the National Crime Authority, the National Cyber Security Center, the Financial Conduct Authority, and the Information Commissioner's Office, are all investigating. The complexity of the investigation and the number of different agencies involved suggests its importance. Not only are national regulations increasingly prescriptive, but this is also the first major breach since GDPR came fully into effect late last month.
Starting point is 00:05:37 Fines could be heavy. How this case is handled may shape expectations for future enforcement actions. Cybersecurity continues to be a hot market segment, with no immediate signs of slowing down. For communities looking to attract businesses, cyber companies often bring well-educated, affluent employees, and there can be significant investment in technology and infrastructure as well. So it makes sense that U.S. states would work up incentives to be more alluring than their neighboring states for those coveted jobs. Our home state of Maryland
Starting point is 00:06:11 recently did just that. Stacey Smith is executive director of CAMI, the Cybersecurity Association of Maryland. Senate Bill 228 was passed through the legislative process this year in Annapolis, Maryland, and the bill was called the Cybersecurity Incentive Tax Credits Bill. And essentially it has two sides to it. One side is a tax credit that incentivizes entities and individuals to invest in Maryland cybersecurity technology companies. And the other side provides a tax credit for small Maryland businesses to buy their cybersecurity solutions locally from Maryland cybersecurity providers. And that could be the purchase of both services and products.
Starting point is 00:06:56 So let's go through each of those individually, what the state is hoping to get out of them, and why that's a good investment against the tax base? Maryland has had a tax credit in place for the investor side, providing a tax credit to cybersecurity companies when an individual or an entity invested in them. However, that isn't as valuable to a cybersecurity company as providing the investment or the tax credit incentive to an investor to invest in that. So the state feels that it will attract more investment dollars to Maryland cybersecurity companies that have or to companies that have an innovative cybersecurity technology that they would like to bring to the market. On the other side, the Buy Local, this is a
Starting point is 00:07:41 nationally unique tax credit program. And we're especially excited about it at our organization because we're focused solely on helping Maryland cybersecurity companies grow by connecting them with potential customers. So to hear about an opportunity for a tax credit like this to be passed through legislation was very exciting to us. And so we spent a lot of time in Annapolis trying to bring this bill to the finish line, and luckily it happened. The advantage of this is that it will not only help our Maryland cybersecurity companies, another tool, I guess you could say, in their sales kit, by being able to say to a company, if you buy this product or service from me, you'll get a tax credit. But it's also providing a very needed resource to small
Starting point is 00:08:26 businesses who may not be investing in any way yet in cybersecurity. A lot of them will tell you, small businesses will say that they might not know who to go to for cybersecurity products or services, but more critical for them is having the funding to be able to afford cybersecurity products or services. It was interesting to see that the bill got bipartisan support. I'm curious, how does it compare to some of your neighboring states? And do you expect this to be sort of a competitive thing as states in the region do their best to attract these sorts of businesses? Well, it'll definitely be a great tool for
Starting point is 00:09:05 attracting cyber companies to come to the area, also cyber companies to stay in the area. Also, maybe some businesses that are looking to locate somewhere, you know, tax credits are a huge plus in deciding where to locate. As far as neighboring states, we have not been able to find any state in the nation that has any kind of a tax credit like this. But I can tell you that with the promotions that we've done thus far, we have been contacted by several to understand what the details are of this bill and actually talking with some other states about some of the cybersecurity programs that they're lobbying to put into place and kind of just learning from each other what would be good for the industry, what's good for business, what's good for the cyber companies as well.
Starting point is 00:09:50 And it was really exciting and refreshing to see the bipartisan effort for this. The bill started as the investor incentive tax credit bill, and it was put forth by Howard County Senator Guy Guzzone, and Governor Hogan had the buy local portion. And together they realized that both bills had a better chance of passing if they took the key elements from both and essentially combined them into one bill and put it forth as a bill together. And luckily that worked. And we saw, you know, legislators on both sides saying, hey, if this is good for the industry, it doesn't matter who brought what part forth. Let's just get this thing finished. And it passed on the very last
Starting point is 00:10:31 day of our legislative session. We're certainly excited about it. That's Stacey Smith. She's executive director of CAMI, the Cybersecurity Association of Maryland. Intel reports finding another CPU security issue in its Core-based processors. Called Lazy State, the bug is already addressed in some systems. Other mitigations will follow. It's another speculative execution flaw, assessed by most observers as being of moderate and not severe importance, hard to exploit and easy to fix, as ZDNet notes. Chinese and Russian companies continue to face headwinds driven by security concerns in different national markets. ZTE's recovery remains in doubt, and the company remains in very bad odor with the
Starting point is 00:11:18 U.S. Congress. Australia's government is very leery of Huawei, and although Huawei says it's still very much in the bidding, Australia is considering excluding the company from any work related to the build-out of the national 5G system. This is a long-standing disquiet on the part of Australian authorities. Last year they moved to block Huawei's participation in an undersea cable that would have served Papua and transited Australian territory. Kaspersky was hit with a significant setback in Western Europe. The European Parliament yesterday voted overwhelmingly in favor of a ban on the company's security products from official networks. Proposed EU copyright laws have aroused considerable alarm.
Starting point is 00:12:04 The end of the Internet as we know it is widely predicted. Much opposition derives from a proposal to essentially extend content moderation to the Internet as a whole. Article 13 of the proposed European Copyright Directive would require anyone posting any content for public use or viewing to run it through a copyright filter. Such filtering is thought to represent essentially the same approach as YouTube's current content filter. Any text, audio, imagery, or video that flunked the filter's check would, if the EU regulation were adopted, be blocked from the Internet. One of the problems critics see with Article 13 is its apparent overlooking of copyfraud, falsely claiming intellectual property rights over content one in fact has no ownership of.
Starting point is 00:12:52 And the proposal does seem to combine unreliable technical content filtering with a cumbersome and onerous compliance regime. North Korea is widely expected to resume its ambitious program of cyber operations following the modified limited restraint it displayed during the run-up to this week's U.S.-DPRK summit. We know, we know, this is betting on form. And we know that "North Korean Hacking Expected" has become an evergreen headline, right up there with "Heat Wave Hits Elderly Hardest," or "Brazil Rising Power in the Western Hemisphere,"
Starting point is 00:13:29 or "Cleveland Fans Expect Disappointment," or even "EU Regulation Threatens Freedom of Speech." Still, betting on form isn't a bad bet, especially in this case. Expect more badness out of Pyongyang. challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
Starting point is 00:14:33 more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:36 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Starting point is 00:16:20 Dr. Clancy, welcome back. I saw on your Twitter feed you made note of a journal paper that mentioned something called anti-fragile communications. This caught my eye. Describe what's going on here. So anti-fragile is the opposite of fragile. If something is fragile, then it is brittle. It breaks easily. And if you look at trying to build a resilient communication system, certainly you don't want a fragile one that is easy to disrupt.
Starting point is 00:16:45 Right. And generally, you want something that is resilient, meaning that it responds reasonably well in the face of adversarial conditions, whether that's hostile jamming or just general interference. Anti-fragile seeks to take that a step further, where rather than being degraded but being able to bounce back in the face of an adversarial RF environment, an antifragile communication system would actually be able to take advantage of the hostile elements in the environment to improve its performance. And how does it do that? So a specific example would be as you look at jamming technology. It used to be jammers would just blast out Gaussian noise
Starting point is 00:17:23 that was completely unrelated to the signal they were seeking to jam. Spark gap generator, that sort of thing? Exactly. As we've seen over the last probably 10 years, jammers have gotten more sophisticated. They are creating waveforms that are specifically targeting their adversary's signals and are, in some cases, designing signals specifically to target adversaries as they've transmitted over the air. So anytime an adversary is making decisions about how to jam you and what energy to transmit based on what you're doing, you can actually use that against them and use their jamming signal as a way to amplify your own signal. So the simple example might be if you have a signal, a weak signal that can
Starting point is 00:18:06 transmit on two different channels, channel A or channel B, and you have a smart jammer that is transmitting high power jamming signal on channel A or channel B, you basically just bounce back and forth between channel A and channel B. One represents a one and the other represents a zero. And the jammer is sort of playing whack-a-mole and jamming you, but the person you're communicating with can just observe what channel the jammer is jamming in order to decode your signal. That's interesting. So yes, using the ability for the jammer to be agile in this case is actually to your benefit and not theirs. Exactly. Now, of course, this is very proof of concept and preliminary.
Starting point is 00:18:45 I certainly haven't demonstrated this against any actual systems in the world, but it's a really interesting example of a proof point that there may be a whole additional realm of robust and resilient communications, particularly military users, can explore over the coming years in order to ensure that their systems are available in the face of an increasingly sophisticated adversary. All right. Well, it's interesting stuff as always. Dr. Charles Clancy, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:19:30 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Starting point is 00:20:19 Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri,
Starting point is 00:20:35 Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:21:34 Learn more at ai.domo.com. That's ai.domo.com.
